This chapter discusses the following topics:
The support libraries
Using daemons
The user authentication profile in the enhanced (protected) password database for enhanced security
Some brief cautions for handling passwords
Tru64 UNIX preserves all traditional UNIX process user and group identities. Additionally, it provides the per-process audit ID (AUID), which is unique to Tru64 UNIX. The AUID is similar in principle to the real user ID, except that it remains unchanged even in cases where the real user ID changes.
The audit ID is associated with all audit records and establishes the user identity even in those cases where the real and effective user IDs have been changed from their values at login.
The audit ID can be set only once in a line of process descendants, regardless of any process privileges. The audit ID is set at login to the authenticated user (the same as the real and effective user IDs) and is inherited from parent to child when a process forks using the fork() system call.
Programs that are created from startup scripts, or that are created as a result of respawn entries in the inittab file, are created with an unset audit ID. Such programs are normally authentication programs (getty/login sequences, window managers, trusted path managers) that set the AUID based on the user that authenticates through that interface.
Programs started through startup scripts typically receive requests for service on behalf of users and spawn a process to service that request. Such programs typically set the audit ID in the child service process based on the requesting process's effective identity. If you are writing this type of program, you should use the SIA routines. The SIA routines properly set up the user's environment in the child process regardless of the security mechanisms in use on the system (BASE, enhanced, DCE, and so forth).
The getluid() and setluid() system calls read and set the audit ID. See their reference pages for details.
18.2 Identity Support Libraries
The Tru64 UNIX operating system provides several library routines for managing user and group identities. For example, the set_auth_parameters() routine is required by some routines used by enhanced security. It stores the initial user and group IDs that can later be queried or tested by the other routines. If you are writing a program or routine that will be used with the enhanced security option, you must call set_auth_parameters() at the beginning of your program's main() routine. Several of the enhanced security routines for querying the authentication database require the program to have called set_auth_parameters() before changing any of the user or group IDs, or the command arguments argc and argv. See the identity(3) reference page for more information.
To keep your code portable between security mechanisms, use the SIA session routines.
18.3 Using Daemons
Whenever a daemon performs an operation at the request of a user program (the client), it acts in one of two ways:
It can run under its own identities, authorizations, and privileges, making its own decisions about what actions the requesting program may or may not perform. In this case, it does not need to change any of its own user identities.
It can have the underlying operating system enforce operations as if the daemon had the client's security attributes (user IDs, authorizations, and so forth).
In the latter case, the daemon needs to establish a set of security attributes for the child. The preferred technique is to fork a process, set the identities and privileges using SIA, and then either perform the actions directly or execute a program to perform them.
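The fork-then-assume-identity pattern just described, as an added example that is not code from the Tru64 UNIX Programmer's Guide. On Tru64 UNIX the identity setup in the child would be done with the SIA session routines; this stand-alone version uses only POSIX calls so that it compiles and runs on other systems too. The getluid()/setluid() branch is compiled only on Tru64 (the __osf__ macro) and is written from the reference pages as the editor understands them (an unset audit ID read back as (uid_t)-1), so treat its details as an assumption. The client identity, the callback, and the helper names are all constructed for the example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <sys/types.h>
#include <sys/wait.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#ifdef __osf__
#include <sys/security.h>   /* getluid(), setluid() on Tru64 UNIX */
#endif

/* Set the audit ID in the service child if, and only if, it is still
 * unset.  A daemon started from inittab or a startup script has an unset
 * AUID, so the child must take it from the client before doing anything
 * auditable; once set it cannot be changed again in that process line.
 * Returns 0 on success, -1 on failure. */
static int set_audit_id_once(uid_t client_uid)
{
#ifdef __osf__
    /* Assumption: getluid() returns (uid_t)-1 while the AUID is unset. */
    if (getluid() != (uid_t)-1)
        return 0;               /* already set: leave it alone */
    return setluid(client_uid);
#else
    (void)client_uid;           /* no portable equivalent outside Tru64 */
    return 0;
#endif
}

/* Take on the client's identity in the right order: supplementary
 * groups, then primary group, then user.  Setting the UID first would
 * leave an unprivileged process unable to change its GID afterwards.
 * Every change is verified, and a regain of root is attempted so that a
 * partially applied drop is detected rather than silently trusted. */
static int drop_to_client(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0)   /* must be impossible now */
        return -1;
    return 0;
}

/* The Section 18.3 pattern: fork, establish the client's security
 * attributes in the child, then do the work.  Here the work is a
 * callback; a real daemon might execve() a helper program instead.
 * Returns the child's exit status (0 = success), or -1 on error. */
static int run_as_client(uid_t uid, gid_t gid, int (*work)(void))
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (set_audit_id_once(uid) != 0 || drop_to_client(uid, gid) != 0)
            _exit(111);         /* identity not established: do no work */
        int rc = work();
        fflush(stdout);         /* _exit() does not flush stdio buffers */
        _exit(rc == 0 ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Sample work for the child: show that it really runs as the client and
 * that the daemon's own identities did not leak through. */
static int report_identity(void)
{
    printf("service child: uid=%u euid=%u gid=%u egid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           (unsigned)getgid(), (unsigned)getegid());
    return 0;
}

int main(void)
{
    /* Constructed request: the "client" is our own identity, so the
     * example runs unprivileged.  A real daemon takes uid/gid from the
     * requesting process (for example SCM_CREDENTIALS on a UNIX socket). */
    int rc = run_as_client(getuid(), getgid(), report_identity);
    printf("child exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Run as root the child really changes identity; run as an ordinary user the calls succeed because the target IDs equal the caller's own, which is what makes the example safe to try anywhere. The point to keep from it is the order of operations and the verification step: a daemon that skips the check and continues after a failed setuid() performs the client's request with its own privileges.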
18.4 Using the Enhanced (Protected) Password Database
Although the enhanced (protected) password database is intended mainly for Tru64 UNIX programs, your programs may need to use the fields described in the following list. (These fields are also described in the getespwent(3) and prpasswd(4) reference pages, the prot.h include file, and the administrative part of this document.)
User name (u_name) and ID (u_id) -- These fields correspond to the user name and ID in /etc/passwd.
Encrypted password (u_pwd) -- This field is the real encrypted password.
Retired status (u_retired) -- This field indicates whether the authentication profile is valid. If not valid, login sessions are not allowed. Once retired, an account should never again be reused.
Login session priority (u_priority) -- The process priority assigned to programs of the user login session using setpriority().
User audit mask (u_auditmask) and control flags (u_audcntl) -- This mask and its control flags, together with the system audit mask, designate the events audited during the login session. The login program assigns a mask to the user's login shell. Audit masks and the control flags are inherited across exec() and fork() calls. See Chapter 19 and the auditmask(8) reference page for more information.
Password parameters -- The following parameters describe the login password and its generation:
Maximum length in characters for passwords chosen by the user (u_maxchosen)
Password expiration interval (u_exp)
Minimum password lifetime (u_minchg)
Password lifetime (u_life)
Time and date of last successful password change (u_succhg)
Time and date of last unsuccessful password change attempt (u_unsucchg)
User who last changed the password (u_pwchanger)
Password generation parameters (u_genpwd)
User-generated password generation parameters (u_pickpw)
Login password requirements (u_nullpw) -- This is sometimes called the "null password option" and controls attempts to set a null password. Most administrators do not allow this option.
Times during which a user may log in (u_tod) -- This field is formatted like the UUCP systems file. (The systems file describes when a remote system can be contacted for file transfer.) It determines the valid times for a user to log in.
Time and date of last login (u_suclog) -- Expressed as a canonical UNIX time (in seconds since 1970).
Terminal used during last login (u_suctty) -- The terminal name is a cross-reference to the device assignment and terminal control databases.
Number of unsuccessful login attempts since last login (u_numunsuclog) -- This value is used to compute whether the terminal is disabled due to too many unsuccessful attempts.
Number of unsuccessful login attempts allowed before disabling (u_maxtries) -- This value is the user-specific limit for the number of unsuccessful attempts allowed until the account is disabled.
Lock status (u_lock) -- Whether or not the administrator has locked the account. A locked profile cannot be used for login or other services. Only an explicit request from the system administrator should unlock an authentication profile, and only programs that handle such requests should reset the locked field. A common programming error is to assume that the lock indicates all lock conditions. This indicator shows only the status of the administrative lock. An account may appear to be locked because it has been disabled by password lifetime expiration or by exceeding the number of unsuccessful attempts allowed for the account.
Your program can assume that, with enhanced security enabled, the user name and ID in the enhanced (protected) password database are maintained by the system to have a corresponding entry in the /etc/passwd file.
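The warning above about u_lock is worth making concrete: a program that tests only the administrative lock will happily treat a retired account, one whose password lifetime has run out, or one that has exhausted its unsuccessful-login limit as usable. The following is an added example, not code from the guide or from Tru64 UNIX, that evaluates all of those conditions together. The struct is a constructed model carrying the prpasswd(4) field names from the list above; it is not the es_passwd/prot.h layout, in which each value has a companion "is set" flag and a system-wide default record (the uflg/sflg pattern of Example 18-1). The sample records, the reason codes, and the treatment of a zero lifetime or zero limit as "no limit" are assumptions made for the example.

```c
#include <stdio.h>
#include <time.h>

/* A value that may be supplied by the user's record or by the system
 * default record, mirroring the "field plus is-set flag" idea of prot.h. */
typedef struct { int set; long value; } field_t;

/* Constructed model of the fields discussed above; not the prot.h types. */
struct acct_model {
    const char *u_name;
    int     u_lock;         /* administrative lock only */
    int     u_retired;      /* retired profile: no login, never reuse */
    int     u_numunsuclog;  /* failed logins since last successful login */
    field_t u_succhg;       /* time of last successful password change */
    field_t u_life;         /* password lifetime in seconds */
    field_t u_maxtries;     /* failed attempts allowed before disabling */
};

enum {
    ACCT_OK             = 0,
    ACCT_ADMIN_LOCK     = 1 << 0,
    ACCT_RETIRED        = 1 << 1,
    ACCT_LIFE_EXPIRED   = 1 << 2,
    ACCT_TOO_MANY_TRIES = 1 << 3,
    ACCT_NO_CHANGE_TIME = 1 << 4    /* lifetime applies, no change time */
};

/* User value wins; otherwise the system default; otherwise "not set". */
static int effective(const field_t *user, const field_t *sys, long *out)
{
    if (user->set) { *out = user->value; return 1; }
    if (sys->set)  { *out = sys->value;  return 1; }
    return 0;
}

/* Returns a bitmask of every reason the account cannot be used, so a
 * caller never mistakes "u_lock == 0" for "login allowed". */
int account_disabled(const struct acct_model *u,
                     const struct acct_model *sys, time_t now)
{
    int reasons = ACCT_OK;
    long life, maxtries;

    if (u->u_lock)    reasons |= ACCT_ADMIN_LOCK;
    if (u->u_retired) reasons |= ACCT_RETIRED;

    /* Assumption for the example: a lifetime of 0 means no limit. */
    if (effective(&u->u_life, &sys->u_life, &life) && life > 0) {
        if (!u->u_succhg.set)
            reasons |= ACCT_NO_CHANGE_TIME;
        else if ((long)now > u->u_succhg.value + life)
            reasons |= ACCT_LIFE_EXPIRED;
    }
    /* Assumption for the example: a limit of 0 means unlimited tries. */
    if (effective(&u->u_maxtries, &sys->u_maxtries, &maxtries) &&
        maxtries > 0 && u->u_numunsuclog >= maxtries)
        reasons |= ACCT_TOO_MANY_TRIES;

    return reasons;
}

static void print_status(const struct acct_model *u, int reasons)
{
    printf("%-6s %s%s%s%s%s%s\n", u->u_name,
           reasons == ACCT_OK ? "login allowed" : "disabled:",
           reasons & ACCT_ADMIN_LOCK     ? " admin-lock" : "",
           reasons & ACCT_RETIRED        ? " retired" : "",
           reasons & ACCT_LIFE_EXPIRED   ? " password-lifetime-expired" : "",
           reasons & ACCT_TOO_MANY_TRIES ? " too-many-failed-logins" : "",
           reasons & ACCT_NO_CHANGE_TIME ? " no-change-time" : "");
}

/* Constructed sample records (not real database contents). */
#define DAY        86400L
#define SAMPLE_NOW 1700000000L
static const struct acct_model sample_sys = {      /* system defaults */
    .u_name = "system", .u_life = {1, 90 * DAY}, .u_maxtries = {1, 5} };
static const struct acct_model sample_alice = {    /* healthy */
    .u_name = "alice", .u_numunsuclog = 1, .u_succhg = {1, SAMPLE_NOW - 10 * DAY} };
static const struct acct_model sample_bob = {      /* admin lock only */
    .u_name = "bob", .u_lock = 1, .u_succhg = {1, SAMPLE_NOW - 10 * DAY} };
static const struct acct_model sample_carol = {    /* expired via system default */
    .u_name = "carol", .u_succhg = {1, SAMPLE_NOW - 100 * DAY} };
static const struct acct_model sample_dave = {     /* own limit, exhausted */
    .u_name = "dave", .u_numunsuclog = 3, .u_maxtries = {1, 3},
    .u_succhg = {1, SAMPLE_NOW - 10 * DAY} };
static const struct acct_model sample_erin = {     /* retired */
    .u_name = "erin", .u_retired = 1, .u_succhg = {1, SAMPLE_NOW - 10 * DAY} };
static const struct acct_model sample_frank = {    /* own lifetime overrides default */
    .u_name = "frank", .u_life = {1, 400 * DAY}, .u_succhg = {1, SAMPLE_NOW - 100 * DAY} };

int main(void)
{
    const struct acct_model *users[] = { &sample_alice, &sample_bob, &sample_carol,
                                         &sample_dave, &sample_erin, &sample_frank };
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        print_status(users[i], account_disabled(users[i], &sample_sys, SAMPLE_NOW));
    return 0;
}
```

Note that carol is disabled even though her own record carries no lifetime at all: the system default applies, exactly as Example 18-1 falls back from acct->uflg to acct->sflg. Returning a mask rather than a boolean also lets the caller audit the specific reason without unlocking or resetting anything, which the text reserves for programs acting on an explicit administrator request.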
18.5 Example: Password Expiration Program
The program named myexpire in Example 18-1 is a program for use with enhanced security that prints the user's password expiration time as defined in the enhanced (protected) password database. This program is part of the authentication protected subsystem and runs in the set group ID (SGID) mode, setting the GID to auth.
Example 18-1: Password Expiration Program
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>
#include <sys/security.h>
#include <prot.h>

/* Externally defined in this subsystem; declared here so the program
 * compiles without implicit declarations.  errmsg() reports and exits
 * and does not return. */
extern void errmsg(const char *msg);
extern void audit_db_error(struct es_passwd *acct);
extern void audit_action(const char *name, time_t expire_date);

int
main(int argc, char *argv[])
{
    struct es_passwd *acct;
    time_t expire_time;
    time_t expire_date;

    /*--- Standard initialization ---*/
    set_auth_parameters(argc, argv);
    initprivs();

    /*--- Fetch the account information using the audit ID ---*/
    if ((acct = getespwuid(getluid())) == NULL)
        errmsg("Internal error");

    /*--- Test whether a personal or system default applies ---*/
    if (acct->uflg->fg_expire)
        expire_time = acct->ufld->fd_expire;
    else if (acct->sflg->fg_expire)
        expire_time = acct->sfld->fd_expire;
    else {
        audit_db_error(acct);           /* audit (externally defined) */
        errmsg("No user-specific or system default "
               "expiration time.");
    }

    /* The fg_ flag (in uflg), not the fd_ field, says whether a
     * successful change time has been recorded for this account. */
    if (!acct->uflg->fg_schange) {
        audit_db_error(acct);           /* audit (externally defined) */
        errmsg("Account does not have successful change time");
    }

    expire_date = acct->ufld->fd_schange + expire_time;

    /* A pending forced password change expires the password now. */
    if (acct->uflg->fg_psw_chg_reqd && acct->ufld->fd_psw_chg_reqd)
        expire_date = time((time_t *) NULL);

    audit_action(acct->ufld->fd_name, expire_date);
    exit(0);
}
Note
The enhanced (protected) password database files are accessible only to processes in the auth group. Programs that need to read the enhanced password database files must set the group ID to auth. See the setgid(2) reference page. To write this information you must set the UID to 0, or set the UID to a user ID together with a group ID of auth.
Tru64 UNIX has been designed so that trusted programs can authenticate their users without specifically asking for passwords. Tru64 UNIX explicitly uses the audit ID for this purpose. Additional password handling is usually unnecessary and is difficult to do securely. Appendix D provides an example of a program for password checking.